Experts praise White House’s call for liability rule changes for software manufacturers

Software and sue.

When the White House introduced its National Cybersecurity Strategy in March, the administration included a provision suggesting that because software developers have avoided liability for their product’s lack of security, a reassessment of the field is overdue.

Avoiding vulnerabilities altogether rather than narrowly defining which ones make you liable to legal action strikes Jack Danahy of NuHarbor Security as a good goal. Danahy told IT Brew that, in his view, due diligence has fallen by the wayside in part because of the lack of accountability for developers that limited liability has provided them.

“We try to define having a vulnerability as the thing that makes you liable, as opposed to trying not to have a vulnerability,” the product and engineering VP said.

Using regulatory action to push software providers to take better care of their products can be effective. GitHub CSO Mike Hanley told IT Brew at RSA 2023 that “the optimistic case is hopefully that by shifting some of those incentives and the burdens back on the software producers, that will get us to better outcomes.”

“Today, we know that if there’s a software vulnerability or a defect, it’s not just that it rolls downhill,” he continued. “It rolls all the way downhill until it has clobbered the end consumer who has no recourse, no options, no compensation—that’s the cost of them participating in that ecosystem.”

But risk factors can change, and developers can’t always predict what kind of exploits are going to be used against their technology. That fear could lead to companies foregoing innovation in service of avoiding legal bills—a danger Danahy acknowledges but feels isn’t a major concern because failsafes and detection procedures will be put in place to stop attacks.

“By doing the right thing, you’re eliminating a vast amount of the threat surface that would otherwise exist and the vulnerabilities that would otherwise exist,” he said.

Oak9 CEO Om Vyas told IT Brew that while there are always two sides to every action the government takes, the ultimate goal of the administration’s liability strategy is a good one and outweighs concerns over innovation and difficulty. The growing pains will be real, though.

“In the short term, this is going to be difficult for many organizations,” Vyas said. “But I think in the long term, taking ownership and having responsibility is definitely going to be much more productive.”—EH